1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
|
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
scenario TrustAnchors
entity RootCA
type Root
entity CA1
type Intermediate
issuer RootCA
entity CA2
type Intermediate
issuer CA1
entity EE1
type EE
issuer CA2
entity OtherRoot
type Root
entity OtherIntermediate
type Intermediate
issuer OtherRoot
entity EE2
type EE
issuer OtherIntermediate
# Scenarios where trust only comes from the DB
db DBOnly
import RootCA::CT,C,C
import CA1:RootCA:
# Simple chaining - no trust anchors
verify EE1:CA2
cert CA2:CA1
result pass
# Simple trust anchors - ignore the Cert DB
verify EE1:CA2
trust CA2:CA1
result pass
# Redundant trust - trust anchor and DB
verify EE1:CA2
cert CA2:CA1
trust RootCA
result pass
# Scenarios where trust only comes from trust anchors
db TrustOnly
# Simple checking - direct trust anchor
verify EE1:CA2
cert CA2:CA1
cert CA1:RootCA:
trust RootCA:
result pass
# Partial chain (not self-signed), with a trust anchor
verify EE1:CA2
trust CA2:CA1
result pass
# Scenarios where trust comes from both trust anchors and the DB
db TrustAndDB
import RootCA::CT,C,C
import CA1:RootCA:
# Check that trust in the DB works
verify EE1:CA2
cert CA2:CA1
result pass
# Check that trust anchors work
verify EE2:OtherIntermediate
cert OtherIntermediate:OtherRoot
trust OtherRoot:
result pass
# Check that specifying a trust anchor still allows searching the cert DB
verify EE1:CA2
trust_and_db
cert CA2:CA1
trust OtherIntermediate:OtherRoot
trust OtherRoot:
result pass
# Scenarios where the trust DB has explicitly distrusted one or more certs,
# even when the trust anchors indicate trust
db ExplicitDistrust
import RootCA::CT,C,C
import CA1:RootCA:p,p,p
import OtherRoot::p,p,p
# Verify that a distrusted intermediate, but trusted root, is rejected.
verify EE1:CA2
cert CA2:CA1
trust CA1:RootCA
result fail
# Verify that a trusted intermediate, but distrusted root, is accepted.
verify EE2:OtherIntermediate
trust OtherIntermediate:OtherRoot
result pass
|